A. To filter and monitor ingress traffic to a switch
B. To configure an interface-specific packet trace
C. To simulate network traffic through a data path
D. To debug packet drops in a production network
E. To automatically correct an ACL entry in an ASA
Answer: C and D.
Per Cisco command documentation, the packet-tracer command provides detailed information about the packets and how they are processed by the security appliance. In the instance that a command from the configuration did not cause the packet to drop, the packet-tracer command will provide information about the cause in an easily readable manner. For example, if a packet was dropped because of an invalid header validation, a message is displayed that says, “packet dropped due to bad ip header (reason).”
The packet-tracer command can generate packets based on the 5 tuple information—source IP, destination IP, source port, destination port and protocol. The packet tracer does not populate the data part of the packet and as a result some engine checks will not be applicable. The packet tracer will show that the packet is dropped not because it did not pass the inspection checks but because there is not enough data to test against the inspection checks.
Cisco White Papers